NebuAd has made few friends, thanks to a business built on monitoring broadband customers' Web surfing to deliver advertisements. It certainly found none on Capitol Hill on Thursday.

The Redwood City, Calif.-based start-up was forced on the defensive during a hearing in which politicians charged that deep packet inspection of Internet traffic was far too privacy-invasive. Only if customers gave affirmative consent by opting in, they said, might the practice be acceptable.

Texas Rep. Gene Green called NebuAd's opt-out procedures "contemptible." To Pennsylvania Rep. Mike Doyle, the practice "goes against everything the country's been founded on." Michigan Rep. Bart Stupak wondered: "Why do I have to opt out? Why should the burden be on the American consumer?"

Subcommittee Chairman Ed Markey, a Massachusetts Democrat, suggested the business model was, without opt-in, flatly illegal. "We need to have remedial legal courses for some corporate general counsels," Markey said.

This was hardly a pleasant experience for NebuAd CEO Robert Dykes--who has already seen paying customers including Charter Communications pull the plug on his company's deep packet inspection service in response to pressure from politicians. Markey and his Republican counterpart, for instance, complained to Charter about NebuAd two months ago.

Dykes first claimed he was misunderstood. "I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun," Dykes said. "The science exists today and NebuAd is using it to create truly anonymous profiles that cannot be hacked or reverse-engineered."

But, under questioning from Markey, Dykes refused to answer whether he thought an opt-in standard should be applied. "I really must protest...I think you're forcing me into a 'Have you stopped beating your wife recently?'," he said. (Markey replied, to laughter: "No, no, no, it's 'Have you stopped beating the consumer?' is the question.")

The U.S. Congress, of course, has no direct role in regulating whether or not Charter and other broadband companies including CenturyTel, Wide Open West, and Embarq sign up with NebuAd or not. But as I wrote in an article on a Senate antitrust hearing this week, research has confirmed what common sense suggests: Congress sets the budget for federal agencies, and a congressional hearing makes them significantly more likely to bring lawsuits or other enforcement actions. And politicians can always rewrite the laws to explicitly outlaw NebuAd's business model.

NebuAd's potential legal problem is that what it's doing--intercepting a broadband customer's communications and determining what kind of ads may be relevant to display--looks a lot like wiretapping under existing law. And a wealth of complex and arcane state and federal laws specify when wiretapping is and is not legal, practically inviting federal regulators or state attorneys general to take action.

We published a detailed analysis two months ago, but the summary is that the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984 all may apply. Cable providers may need to obtain affirmative opt-in consent from customers, putting them at a competitive disadvantage to, say, AT&T and Verizon. The Center for Democracy and Technology's subsequent analysis published on July 8 reviews state laws as well.

For its part, NebuAd has posted a legal memo designed to defuse those criticisms. It argues that the 1986 changes to wiretap law have not been clarified by courts, and that the Cable Act may not apply to "any record of aggregate data which does not identify particular persons."

About the author

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio